
Public certs removing client authentication breaking Expressway

mhurley131
Level 4

I just received my first publicly signed certificate that does not include the client authentication key usage. Apparently this is an industry change happening:

https://www.sectigo.com/resource-library/tls-client-authentication-public-ca-end-2026#:~:text=Sectigo%20announced%20that%20starting%20September,no%20exceptions%20will%20be%20granted.

Expressway requires this attribute for the mutual authentication between C & E, and will not accept the certificate.

If we use a certificate signed by a private certificate, non-IT-controlled devices will get a warning and/or fail when trying to use MRA. Also, my understanding is that physical phones have a trust list which cannot be added to, so they will stop working.

Is Cisco aware of this change and is there a recommended path forward?
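The check behind the original poster's problem, as an added example that is not part of the post or of any Cisco or CA documentation: a shell script that reads a certificate's Extended Key Usage with openssl so you can see, before uploading a CA-issued certificate to Expressway, whether it carries the TLS client authentication purpose (OID 1.3.6.1.5.5.7.3.2) that the Expressway-C/Expressway-E mutual TLS handshake needs. The hostname `expressway-e.example.com`, the temporary directory and the two self-signed sample certificates are constructed for the demo; on a real system you would run `eku_purposes`/`has_client_auth` on the PEM file the CA returned.

```shell
#!/bin/sh
# Added example (not Cisco's or any CA's code): inspect a certificate's
# Extended Key Usage before it goes onto Expressway.  The two certificates
# generated below are constructed sample input, self-signed locally, with the
# two EKU sets discussed in the thread: serverAuth only (what public CAs now
# issue by default) and serverAuth + clientAuth (what Expressway C/E mTLS needs).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU-LIST: self-signed cert whose extendedKeyUsage is EKU-LIST.
# A config file is used instead of 'req -addext' so it also works on OpenSSL
# releases older than 1.1.1.  The hostname is an assumption for the demo.
make_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = expressway-e.example.com
[v3]
subjectAltName = DNS:expressway-e.example.com
extendedKeyUsage = $2
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    >/dev/null 2>&1
}

# eku_purposes FILE: print the decoded EKU purposes on one line, or nothing
# when the extension is absent.  Parsed from 'openssl x509 -text', which every
# OpenSSL release supports (the newer '-ext extendedKeyUsage' flag does not).
eku_purposes() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Extended Key Usage/{n;p;}' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# has_client_auth FILE: exit status 0 when clientAuth (1.3.6.1.5.5.7.3.2) is
# present.  OpenSSL renders that OID as "TLS Web Client Authentication".
has_client_auth() {
  eku_purposes "$1" | grep -q 'TLS Web Client Authentication'
}

# Demo run over the two constructed certificates.
make_cert server_only 'serverAuth'
make_cert server_and_client 'serverAuth, clientAuth'

for name in server_only server_and_client; do
  purposes=$(eku_purposes "$WORK/$name.pem")
  if has_client_auth "$WORK/$name.pem"; then
    echo "$name.pem  [$purposes]  -> usable for Expressway C/E mutual TLS"
  else
    echo "$name.pem  [$purposes]  -> Expressway will reject it: no clientAuth EKU"
  fi
done
```

Point `eku_purposes` at the certificate your CA actually issued: if the line it prints lacks "TLS Web Client Authentication", that is the certificate Expressway refuses in the screenshot above, regardless of how it was signed. Note that the EKU is evaluated on the leaf certificate you upload, so re-issuing from the same CA with the purpose added (where the CA still allows it) is what changes the result, not replacing the chain.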

24 Replies

samuel.gay
Level 1

FYI: 2 days ago I tried to get a new certificate with Gandi (which relies on Digicert or Sectigo). In both cases I got only a certificate with the "TLS Server authentication" EKU. From what I see, with Gandi you don't have the possibility to request the "TLS client authentication" EKU.

According to Digicert KB it is still possible to request a certificate with "TLS client authentication" EKU: https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates#october.

Did you try Digicert and did they provide you with a cert in the end that had the EKU?

krcollab
Level 4

Checking back to see if anyone has successfully received a certificate from a CA with the client EKU. I know many people were trying other providers but I have yet to hear of anyone actually receiving a cert.

Manual404
Level 1

I guess it's time for ExpressWay decomm.

There will be an update to the operating system in Expressway that handles certificates not having the EKU. It has been referred to twice in this thread.

I saw that, but it doesn't help our customer whose system is already dead in the water, or any customers whose certs expire before whatever future date the non-EKU version is released.

Dear @krcollab,

Here in the Cisco forum, people work and post voluntarily, and they have no responsibility at Cisco.

We are also involved in this issue and have many problems.

محمدرضا هادی_ایران (Email: morez.hadi@gmail.com)

I didn't think anyone in the conversation was from Cisco or in any way responsible for the issue. The issue itself isn't Cisco's fault; it's a change pushed by the CAs. I was just pointing out, because of the statement "In this thread it's been referred to two times", that I am aware that Cisco is planning on releasing an Expressway version with a workaround. However, that doesn't fix currently-broken or soon-to-be-broken systems, so I've been asking in the thread whether anyone has been successful in actually receiving a cert with the EKU from any CA, as that is currently the only way to get things working again.

We just got Sectigo to issue us new certificates that include the EKU. So it is possible to get the public CAs to live up to what they state in their FAQs: between October 7 and May next year it should be possible to get a certificate that includes the EKU.

Faced the same issue with Sectigo; exceptions are only supported if you have Enterprise Certificate Manager.